authorMax Bires <jbires@google.com>2017-11-29 14:38:48 -0800
committerandroid-build-team Robot <android-build-team-robot@google.com>2017-12-14 21:14:30 +0000
commit65423d0573db2b63d187fc0fa042cc35261ab2ef (patch)
tree9efbd9228978118d6882c9220cddd4c96d59aced
parent7c9c67d8fe73dd06582b5098f9710a786c60564a (diff)
downloadsecurity-65423d0573db2b63d187fc0fa042cc35261ab2ef.tar.gz
Fixing security vuln by tightening race condition window.
A proper fix for this feature requires reworking binder permission checking to take the selinux context and not the pid. This is feature work that should be done for P to properly fix these race conditions that occur elsewhere in the code. Bug: 68217699 Test: KeyStore keygen permissions cannot be bypassed through PID cycling Change-Id: I1ba5210010d6c413c9b1dbde3df0cc566400bfac Merged-In: I1ba5210010d6c413c9b1dbde3df0cc566400bfac (cherry picked from commit ef4f067c03543d8c8f2f8218bc69af12692ba000) (cherry picked from commit 05fbbe5f3d47454a85da374cad9b54e4978c2c70)
-rw-r--r--keystore/key_store_service.cpp7
1 files changed, 6 insertions, 1 deletions
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index eb5fe86b..be13a7b2 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -693,6 +693,8 @@ KeyStoreServiceReturnCode KeyStoreService::generateKey(const String16& name,
const hidl_vec<uint8_t>& entropy, int uid,
int flags,
KeyCharacteristics* outCharacteristics) {
+ // TODO(jbires): remove this getCallingUid call upon implementation of b/25646100
+ uid_t originalUid = IPCThreadState::self()->getCallingUid();
uid = getEffectiveUid(uid);
KeyStoreServiceReturnCode rc =
checkBinderPermissionAndKeystoreState(P_INSERT, uid, flags & KEYSTORE_FLAG_ENCRYPTED);
@@ -705,7 +707,10 @@ KeyStoreServiceReturnCode KeyStoreService::generateKey(const String16& name,
}
if (containsTag(params, Tag::INCLUDE_UNIQUE_ID)) {
- if (!checkBinderPermission(P_GEN_UNIQUE_ID)) return ResponseCode::PERMISSION_DENIED;
+ if (!checkBinderPermission(P_GEN_UNIQUE_ID) &&
+ originalUid != IPCThreadState::self()->getCallingUid()) {
+ return ResponseCode::PERMISSION_DENIED;
+ }
}
bool usingFallback = false;